dinislage/puppet-fail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dinislage:v1.2.0
Branches Tags
dinislage:master dinislage:osfamily
dinislage:v1.3.1 dinislage:v1.3.0 dinislage:v1.2.2 dinislage:v1.2.1 dinislage:v1.2.0 dinislage:v1.1.2
...
compare: dinislage:master
Branches Tags
dinislage:osfamily dinislage:master
dinislage:v1.3.1 dinislage:v1.3.0 dinislage:v1.2.2 dinislage:v1.2.1 dinislage:v1.2.0 dinislage:v1.1.2

26 Commits
v1.2.0 ... master

Author SHA1 Message Date
Javier Bértoli
95b1d1231f Merge pull request #16 from lazyfrosch/master 
Added protocol as parameter to fail2ban jails
 2014-09-15 06:36:04 -03:00
Markus Frosch
7ae861c216 Add protocol parameter to jail define 2014-09-12 18:14:50 +02:00
Markus Frosch
70c6bf4a88 Enable puppet-lint in Travis checks 2014-09-12 18:13:52 +02:00
Markus Frosch
50210d9cc3 Fix puppet-lint indention warnings 2014-09-12 12:14:32 +02:00
Markus Frosch
52b3523d4d Let puppet-lint checks pass when directory is named "puppet-fail2ban" 2014-09-12 12:14:32 +02:00
Javier Bértoli
de94a58c3e Add Rakefile and .rspec 2014-05-06 21:02:59 -03:00
Javier Bértoli
a0fae48b67 Bump version 2014-05-06 20:48:17 -03:00
Javier Bértoli
f9e4cfa10b Merge pull request #15 from juliogonzalez/master 
Add parameters to specify source dir owner and group
 2014-05-06 10:53:06 -03:00
Julio Gonzalez Gil
2e68e4259a Add parameters to specify source dir owner and group 2014-05-05 21:41:01 +02:00
Javier Bértoli
0cdcd5b673 Release v1.3.1 2014-02-11 09:00:40 -03:00
Javier Bértoli
12dc849ad3 Fix ignoreip computation in jail.local template (patch contributed by @gwarf) 2014-02-11 08:58:47 -03:00
Javier Bértoli
47f47e784d Bump minor version after issue #14 2013-12-26 16:22:04 -03:00
Javier Bértoli
af31e1fe07 Merge branch 'master' of github.com:netmanagers/puppet-fail2ban 2013-12-26 16:17:58 -03:00
Javier Bértoli
dab8e07069 Merge pull request #14 from grooverdan/ignore_ip 
add ignoreip to jail options
 2013-12-26 10:45:44 -08:00
Daniel Black
a4b5dae912 add ignoreip to jail options 2013-12-26 11:31:10 +00:00
Javier Bértoli
a7458e33ce Release v1.2.2 2013-12-23 18:23:37 -03:00
Javier Bértoli
d71e25c0ae Update travis configuration 2013-12-23 18:04:15 -03:00
Javier Bértoli
be537ee29b Merge branch 'AddOnline-fix-filter-source' 2013-12-23 18:03:34 -03:00
Javier Bértoli
8e00da08a5 Merge branch 'fix-filter-source' of https://github.com/AddOnline/puppet-fail2ban into AddOnline-fix-filter-source 2013-12-23 17:46:06 -03:00
Romain THERRAT
582b6a1788 Fix test with 1.0 rspec-puppet version 2013-12-23 18:41:15 +01:00
Javier Bértoli
344ed1dbbb Merge branch 'fix-filter-source' of https://github.com/AddOnline/puppet-fail2ban into AddOnline-fix-filter-source 2013-12-23 13:58:50 -03:00
Romain THERRAT
1f2c9a8e8e Fix filter with a specified source 2013-12-23 17:18:46 +01:00
Javier Bértoli
ceff3a4ed5 Release v1.2.1 2013-11-26 11:31:23 -03:00
Javier Bértoli
32fcff31f8 Merge branch 'master' of github.com:netmanagers/puppet-fail2ban 2013-11-26 11:28:09 -03:00
Javier Bértoli
2c4731e5c9 Merge pull request #12 from mburger/master 
fixed the process name for redhat bases distros
 2013-11-26 06:26:53 -08:00
Markus Burger
5eba942fcf fixed the process name for redhat bases distros 
Change-Id: I9885235550a1bca8109122812f7b50f39dda12d1
 2013-11-26 14:49:12 +01:00
12 changed files with 124 additions and 34 deletions
Expand all files Collapse all files

33
.travis.yml
View File

@@ -1,22 +1,33 @@
---
language: ruby language: ruby
rvm: rvm:
- 1.8.7 - 1.8.7
- 1.9.3 - 1.9.3
script: - 2.0.0
- "rake spec SPEC_OPTS='--format documentation'" script: "bundle exec rake spec SPEC_OPTS='--format documentation' && bundle exec rake test"
branches:
only:
master
env: env:
- PUPPET_VERSION="~> 2.6.0" matrix:
- PUPPET_VERSION="~> 2.7.0" - PUPPET_GEM_VERSION="~> 2.7.0"
- PUPPET_VERSION="~> 3.0.0" - PUPPET_GEM_VERSION="~> 3.0.0"
- PUPPET_VERSION="~> 3.1.0" - PUPPET_GEM_VERSION="~> 3.1.0"
- PUPPET_GEM_VERSION="~> 3.2.0"
matrix: matrix:
allow_failures:
# - rvm: ruby-head
exclude: exclude:
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0"
- rvm: 1.9.3 - rvm: 1.9.3
env: PUPPET_VERSION="~> 2.6.0" env: PUPPET_GEM_VERSION="~> 2.7.0"
gemfile: .gemfile - rvm: 2.0.0
- rvm: 1.9.3 env: PUPPET_GEM_VERSION="~> 2.7.0"
env: PUPPET_VERSION="~> 2.7.0" - rvm: 2.0.0
gemfile: .gemfile env: PUPPET_GEM_VERSION="~> 3.0.0"
- rvm: 2.0.0
env: PUPPET_GEM_VERSION="~> 3.1.0"
gemfile: .gemfile gemfile: .gemfile
notifications: notifications:
email: email:

2
Modulefile
View File

@@ -1,5 +1,5 @@
name 'netmanagers-fail2ban' name 'netmanagers-fail2ban'
version '1.2.0' version '1.4.0'
author 'Javier Bertoli' author 'Javier Bertoli'
license 'Apache2' license 'Apache2'
project_page 'http://www.netmanagers.com.ar' project_page 'http://www.netmanagers.com.ar'

40
Rakefile
View File

@@ -1,5 +1,41 @@
require 'rubygems'
require 'puppetlabs_spec_helper/rake_tasks' require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint' require 'puppet-lint/tasks/puppet-lint'
PuppetLint.configuration.send('disable_80chars') require 'puppet-syntax/tasks/puppet-syntax'
# These two gems aren't always present, for instance
# on Travis with --without development
begin
require 'rspec-system/rake_task'
rescue LoadError
end
begin
require 'puppet_blacksmith/rake_tasks'
rescue LoadError
end
PuppetLint.configuration.send("disable_80chars")
PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.relative = true
# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
# http://puppet-lint.com/checks/class_parameter_defaults/
PuppetLint.configuration.send('disable_class_parameter_defaults') PuppetLint.configuration.send('disable_class_parameter_defaults')
# http://puppet-lint.com/checks/class_inherits_from_params_class/
PuppetLint.configuration.send('disable_class_inherits_from_params_class')
exclude_paths = [
"pkg/**/*",
"vendor/**/*",
"spec/**/*",
]
PuppetLint.configuration.ignore_paths = exclude_paths
PuppetSyntax.exclude_paths = exclude_paths
desc "Run syntax, lint, and spec tests."
task :test => [
:syntax,
:lint,
:spec,
]

5
manifests/filter.pp
View File

@@ -92,7 +92,10 @@ define fail2ban::filter (
$manage_file_content = $filtertemplate ? { $manage_file_content = $filtertemplate ? {
'' => undef, '' => undef,
default => template($filtertemplate), default => $filtersource ? {
'' => template($filtertemplate),
default => undef,
}
} }
file { "${real_filtername}.local": file { "${real_filtername}.local":

30
manifests/init.pp
View File

@@ -31,6 +31,14 @@
# (source => $source_dir , recurse => true , purge => true) # (source => $source_dir , recurse => true , purge => true)
# Can be defined also by the (top scope) variable $fail2ban_source_dir_purge # Can be defined also by the (top scope) variable $fail2ban_source_dir_purge
# #
# [*source_dir_owner*]
# Configuration directory owner
# Default: root
#
# [*source_dir_group*]
# Configuration directory group
# Default: root
#
# [*template*] # [*template*]
# Sets the path to the template to use as content for main configuration file # Sets the path to the template to use as content for main configuration file
# If defined, fail2ban main config file has: content => content("$template") # If defined, fail2ban main config file has: content => content("$template")
@@ -278,6 +286,8 @@ class fail2ban (
$source = params_lookup( 'source' ), $source = params_lookup( 'source' ),
$source_dir = params_lookup( 'source_dir' ), $source_dir = params_lookup( 'source_dir' ),
$source_dir_purge = params_lookup( 'source_dir_purge' ), $source_dir_purge = params_lookup( 'source_dir_purge' ),
$source_dir_owner = params_lookup( 'source_dir_owner' ),
$source_dir_group = params_lookup( 'source_dir_group' ),
$template = params_lookup( 'template' ), $template = params_lookup( 'template' ),
$service_autorestart = params_lookup( 'service_autorestart' , 'global' ), $service_autorestart = params_lookup( 'service_autorestart' , 'global' ),
$options = params_lookup( 'options' ), $options = params_lookup( 'options' ),
@@ -412,18 +422,18 @@ class fail2ban (
### Managed resources ### Managed resources
package { $fail2ban::package: package { $fail2ban::package:
ensure => $fail2ban::manage_package, ensure => $fail2ban::manage_package,
noop => $fail2ban::noops, noop => $fail2ban::noops,
} }
service { 'fail2ban': service { 'fail2ban':
ensure => $fail2ban::manage_service_ensure, ensure => $fail2ban::manage_service_ensure,
name => $fail2ban::service, name => $fail2ban::service,
enable => $fail2ban::manage_service_enable, enable => $fail2ban::manage_service_enable,
hasstatus => $fail2ban::service_status, hasstatus => $fail2ban::service_status,
pattern => $fail2ban::process, pattern => $fail2ban::process,
require => Package[$fail2ban::package], require => Package[$fail2ban::package],
noop => $fail2ban::noops, noop => $fail2ban::noops,
} }
if $fail2ban::manage_file_source if $fail2ban::manage_file_source
@@ -497,6 +507,8 @@ class fail2ban (
source => $fail2ban::source_dir, source => $fail2ban::source_dir,
recurse => true, recurse => true,
purge => $fail2ban::bool_source_dir_purge, purge => $fail2ban::bool_source_dir_purge,
owner => $fail2ban::source_dir_owner,
group => $fail2ban::source_dir_group,
force => $fail2ban::bool_source_dir_purge, force => $fail2ban::bool_source_dir_purge,
replace => $fail2ban::manage_file_replace, replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit, audit => $fail2ban::manage_audit,

17
manifests/jail.pp
View File

@@ -15,7 +15,9 @@
# Defaults to true # Defaults to true
# $filter - The filter rule to use. # $filter - The filter rule to use.
# If empty, defaults to == $jailname. # If empty, defaults to == $jailname.
# $ignoreip - Don't ban a host which matches an address in this list.
# $port - The port to filter. It can be an array of ports. # $port - The port to filter. It can be an array of ports.
# $protocol - The protocol for this jail's action.
# $logpath - The log file to monitor # $logpath - The log file to monitor
# $maxretry - How many fails are acceptable # $maxretry - How many fails are acceptable
# $action - The action to take when fail2ban finds $maxretry $filter-matching # $action - The action to take when fail2ban finds $maxretry $filter-matching
@@ -29,7 +31,9 @@ define fail2ban::jail (
$order = '', $order = '',
$status = '', $status = '',
$filter = '', $filter = '',
$ignoreip = '',
$port = '', $port = '',
$protocol = '',
$action = '', $action = '',
$logpath = '', $logpath = '',
$maxretry = '', $maxretry = '',
@@ -62,6 +66,14 @@ define fail2ban::jail (
default => $filter, default => $filter,
} }
$array_ignoreip = is_array($ignoreip) ? {
false => $ignoreip ? {
'' => [],
default => [$ignoreip],
},
default => $ignoreip,
}
$array_port = is_array($port) ? { $array_port = is_array($port) ? {
false => $port ? { false => $port ? {
'' => [], '' => [],
@@ -70,6 +82,11 @@ define fail2ban::jail (
default => $port, default => $port,
} }
$real_protocol = $protocol ? {
'' => undef,
default => $protocol,
}
$array_action = is_array($action) ? { $array_action = is_array($action) ? {
false => $action ? { false => $action ? {
'' => [], '' => [],

7
manifests/params.pp
View File

@@ -29,8 +29,9 @@ class fail2ban::params {
} }
$process = $::operatingsystem ? { $process = $::operatingsystem ? {
/(?i:Debian|Ubuntu|Mint)/ => 'fail2ban-server', /(?i:Debian|Ubuntu|Mint)/ => 'fail2ban-server',
default => 'fail2ban', /(?i:RedHat|Centos|Scientific|Fedora|OracleLinux)/ => 'fail2ban-server',
default => 'fail2ban',
} }
$process_args = $::operatingsystem ? { $process_args = $::operatingsystem ? {
@@ -132,6 +133,8 @@ class fail2ban::params {
$template = '' $template = ''
$source_dir = '' $source_dir = ''
$source_dir_purge = false $source_dir_purge = false
$source_dir_owner = 'root'
$source_dir_group = 'root'
$options = '' $options = ''
$service_autorestart = true $service_autorestart = true
$version = 'present' $version = 'present'

9
spec/classes/fail2ban_spec.rb
View File

@@ -97,12 +97,10 @@ enabled = true/) }
describe 'Test customizations - template' do describe 'Test customizations - template' do
let(:params) { {:template => "fail2ban/spec.erb" , :options => { 'opt_a' => 'value_a' } } } let(:params) { {:template => "fail2ban/spec.erb" , :options => { 'opt_a' => 'value_a' } } }
it 'should generate a valid template' do it 'should generate a valid template' do
content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content] should contain_file('fail2ban.local').with_content(/fqdn: rspec.example42.com/)
content.should match "fqdn: rspec.example42.com"
end end
it 'should generate a template that uses custom options' do it 'should generate a template that uses custom options' do
content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content] should contain_file('fail2ban.local').with_content(/value_a/)
content.should match "value_a"
end end
end end
@@ -136,8 +134,7 @@ enabled = true/) }
} }
end end
it 'should not automatically restart the service, when service_autorestart => false' do it 'should not automatically restart the service, when service_autorestart => false' do
content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:notify] should contain_file('fail2ban.local').with_notify(nil)
content.should be_nil
end end
end end

3
spec/defines/fail2ban_filter_spec.rb
View File

@@ -61,7 +61,7 @@ b = 2
not c not c
" "
end end
it { should contain_file('sample2.local').with_path('/etc/fail2ban/filter.d/sample2.local').with_content(expected) } it { should contain_file('sample2.local').with_path('/etc/fail2ban/filter.d/sample2.local').with_content(expected) }
it { should contain_file('sample2.local').without_source } it { should contain_file('sample2.local').without_source }
end end
@@ -75,6 +75,7 @@ not c
end end
it { should contain_file('sample3.local').with_path('/etc/fail2ban/filter.d/sample3.local').with_source('puppet:///some/path/to/source') } it { should contain_file('sample3.local').with_path('/etc/fail2ban/filter.d/sample3.local').with_source('puppet:///some/path/to/source') }
it { should contain_file('sample3.local').with_content(nil) }
it { should contain_file('sample3.local').without_template } it { should contain_file('sample3.local').without_template }
end end
end end

4
spec/defines/fail2ban_jail_spec.rb
View File

@@ -37,8 +37,10 @@ filter = fail2ban::jail
{ {
:name => 'sample1', :name => 'sample1',
:port => ['42', '43'], :port => ['42', '43'],
:protocol => 'udp',
:logpath => '/path/to/somelog', :logpath => '/path/to/somelog',
:enable => true, :enable => true,
:ignoreip => [ '10.3.2.0/24', '192.168.56.0/24' ],
:findtime => '9000', :findtime => '9000',
:maxretry => '5', :maxretry => '5',
:bantime => '3600', :bantime => '3600',
@@ -53,7 +55,9 @@ filter = fail2ban::jail
[fail2ban::jail] [fail2ban::jail]
enabled = true enabled = true
filter = fail2ban::jail filter = fail2ban::jail
ignoreip = 10.3.2.0/24 192.168.56.0/24
port = 42,43 port = 42,43
protocol = udp
action = iptables[name=SSH, port=ssh, protocol=tcp] action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=yourmail@mail.com] mail-whois[name=SSH, dest=yourmail@mail.com]
logpath = /path/to/somelog logpath = /path/to/somelog

6
templates/concat/jail.local-stanza.erb
View File

@@ -4,9 +4,15 @@ enabled = <%= @real_status %>
<% if @real_filter != '' -%> <% if @real_filter != '' -%>
filter = <%= @real_filter %> filter = <%= @real_filter %>
<% end -%> <% end -%>
<% if @array_ignoreip != [] -%>
ignoreip = <%= @array_ignoreip * ' ' %>
<% end -%>
<% if @array_port != [] -%> <% if @array_port != [] -%>
port = <%= @array_port * ',' %> port = <%= @array_port * ',' %>
<% end -%> <% end -%>
<% if @real_protocol -%>
protocol = <%= @real_protocol %>
<% end -%>
<% if @array_action != [] -%> <% if @array_action != [] -%>
action = <%= @array_action.join("\n\t") %> action = <%= @array_action.join("\n\t") %>
<% end -%> <% end -%>

2
templates/jail.local.erb
View File

@@ -1,6 +1,6 @@
# This file is managed by Puppet. DO NOT EDIT. # This file is managed by Puppet. DO NOT EDIT.
[DEFAULT] [DEFAULT]
ignoreip = <%= scope.lookupvar('fail2ban::ignoreip') %> ignoreip = <%= scope.lookupvar('fail2ban::ignoreip') * ' ' %>
bantime = <%= scope.lookupvar('fail2ban::bantime') %> bantime = <%= scope.lookupvar('fail2ban::bantime') %>
findtime = <%= scope.lookupvar('fail2ban::findtime') %> findtime = <%= scope.lookupvar('fail2ban::findtime') %>
maxretry = <%= scope.lookupvar('fail2ban::maxretry') %> maxretry = <%= scope.lookupvar('fail2ban::maxretry') %>